<?php
/**
 * AJAX Handler for Login: logs a user in
 * 
 * I have made sure Libdebug is silent in AJAX. This is because it can intefere with the HTML/Javascript as Libdebug Appends after </html>.
 * If you have a problem and need to debug comment $_LIBDEBUG->silence(); (the framework must also be in debugging mode for this to work)
 */

    $_ECLIPSEMDE = array();
    
    // Disable Templating System
    $_ECLIPSEMDE['TEMPLATING'] = false;
    require_once('../../SiteIncludes.GLOBAL.php');
    
    if(EclipseMDE::runningOnMod_Rewrite() === false) {
	// Security Guard, Do Not Let This be accessed by any other means than mod_rewrite
	header('HTTP/1.1 400 Bad Request');
	die($nok_caller);
    }
    //$_LIBDEBUG->silence();
    
    /*$_LOGGEDINSESSION = new UserSession();
    $_LOGGEDINSESSION->createNewSession($userid);*/
    
    $return_head = <<<EOHEAD
	<!DOCTYPE html>
	    <html>
	    <head><title></title></head>
	    <body>
		<script type="text/javascript">
EOHEAD;
    $return_nok = 'parent.EDJXConfirmer.show_nok();';
    $return_body = $return_nok.' parent.login.SubmitCallback(false, \'<b>Unknown Error Occured</b>.<br /><i>Please try again later</i>\');';
    $return_ok = 'parent.EDJXConfirmer.show_ok();';
    $return_foot = <<<EOFOOT
		</script>
	    </body>
	</html>
EOFOOT;
    
    if(isset($_LOGGEDINSESSION) === false) {
	if(isset($pVAR['ib_text_username']) === true && isset($pVAR['ib_text_password']) === true && strlen($pVAR['ib_text_username']) > 0 && strlen($pVAR['ib_text_password']) > 0) {
	    $safe_username = $sql_conx->real_escape_string($pVAR['ib_text_username']);
	    $plaintext_password = $pVAR['ib_text_password'];
	    
	    // Attempt to match username => username
	    $query = $sql_conx->query("SELECT `uid`, `password`, `signup_time`, `priv_ban` FROM `users` WHERE `username`='{$safe_username}'");
	    if($query !== false && $query->num_rows > 0) {
		// Matched username => username
	    } else {
		// Did they try to login with their email?
		// Attempt to match username => email
		$query = $sql_conx->query("SELECT `uid`, `password`, `signup_time`, `priv_ban` FROM `users` WHERE `email`='{$safe_username}'");
	    }
		// ^ REMEMBER: matches with query inside if statement if first one fails
	    if($query !== false && $query->num_rows > 0) {
		// Lets see if their passwords match
		$row = $query->fetch_assoc();
		$signup_hash = $row['signup_time'];
		$uid = $row['uid'];
		$hashed_pw = $row['password'];
		$plaintext_hashed = Password::hashPassword($plaintext_password, $signup_hash);
		if(strcmp($plaintext_hashed, $hashed_pw) === 0) {
		    if($row['priv_ban'] == '0') {
			// Password matches - create session
			$_LOGGEDINSESSION = new UserSession();
			$_LOGGEDINSESSION->createNewSession($uid);
			$return_body = $return_ok.' parent.login.SubmitCallback(true, \'\');';
		    } else {
			$return_body = $return_nok.' parent.login.SubmitCallback(false, \'<b>Sorry</b>.<br /><i>Your account is disabled, please contact an administrator.</i>\');';
		    }
		} else {
		    $return_body = $return_nok.' parent.login.SubmitCallback(false, \'<b>Sorry</b>.<br /><i>Invalid username or password.</i>\');';
		}
		
	    } else {
		// Invalid username
		$return_body = $return_nok.' parent.login.SubmitCallback(false, \'<b>Sorry</b>.<br /><i>Invalid username or password.</i>\');';
	    }
	} else {
	    $return_body = $return_nok.' parent.login.SubmitCallback(false, \'<b>Whoops</b>.<br /><i>Please fill out the entire form</i>\');';
	}
    } else {
	$return_body = $return_nok.' parent.login.SubmitCallback(false, \'<b>You are already logged in</b>.<br />\');';
    }
    
    echo $return_head.$return_body.$return_foot;
?>
